Saturday, August 23, 2014

It had been a long time since I looked at the landing page of the Nuclear exploit kit when I saw the post from Brad (@malware_traffic) over at malware-traffic-analysis.net. Thanks to him for the live redirector :).
So I wanted to take a look at what this bad stuff was up to these days. Most of it is covered by @malware_traffic, but there are a couple of new things here if you take the time to read through it.

2. Decoded landing

With the landing decoded we can see how this kit is built up and what malicious capabilities it has.

2a. PluginDetect 0.8.7

What is really detected

2b. Java exploitation

2c. PDF exploitation

2d. Flash exploitation

4. Ending

This should not be the ending, but as the redirector went cold before I could finish all my coffee, this adventure ended early. Still, we got the exploit capabilities out in the open, and there seems to be little new in Nuclear pack. Hopefully I get the chance to look more into the details in the near future.

So if you come across a live one, please hook me up on mail or Twitter.

If Flash is installed, the landing page writes the object tags to the document, with the variant chosen by MSHTML version and browser type, and downloads izUTRQ for the exploit.
The "what to exec" value, hxxp://rapido.callsphones.com:13014/voting.php?warez=283&rates=27&popular=4&jobs=335&forward=171&radio=663&howto=333&virus=325, is the link to the malware that gets downloaded.
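As an added example (my own code, not anything from the post or the kit), here is a small helper a defender can use to pull the defanged payload URL out of notes like the line above, refang it and break it into blocklist-ready fields; the input text below is constructed from the post, and the "EK-like" heuristic (non-standard port plus many integer-valued parameters) is an assumption of mine, not a signature.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the analysis note as a defender would paste it.
SAMPLE = (
    "What to exec: hxxp: //rapido.callsphones.com:13014/voting.php?"
    "warez=283&rates=27&popular=4&jobs=335&forward=171&radio=663"
    "&howto=333&virus=325. Is the link to the malware to download."
)

# Matches defanged URLs written as "hxxp://..." or "hxxp: //..." (with a space).
DEFANGED = re.compile(r"hxxps?\s*:\s*//\S+")


def refang(token: str) -> str:
    """Turn a defanged 'hxxp: //host/...' token into a normal URL string."""
    token = token.rstrip(".,;)")            # trailing prose punctuation
    token = re.sub(r"^hxx", "htt", token)   # hxxp -> http, hxxps -> https
    return re.sub(r":\s*//", "://", token)  # close the 'hxxp: //' gap


def extract_payload_urls(text: str) -> list:
    """Return one indicator record per defanged URL found in the text."""
    records = []
    for match in DEFANGED.finditer(text):
        url = refang(match.group(0))
        parts = urlsplit(url)
        params = parse_qs(parts.query)
        # Query keys whose value is purely numeric (warez=283, rates=27, ...).
        numeric = [k for k, v in params.items() if v and v[0].isdigit()]
        records.append({
            "url": url,
            "host": parts.hostname,
            "port": parts.port or (443 if parts.scheme == "https" else 80),
            "path": parts.path,
            "numeric_params": numeric,
            # Heuristic (assumption): payload served on a non-standard port
            # with a long run of integer-valued parameters.
            "ek_like": parts.port not in (None, 80, 443) and len(numeric) >= 5,
        })
    return records


if __name__ == "__main__":
    for rec in extract_payload_urls(SAMPLE):
        print(rec["host"], rec["port"], rec["path"], rec["ek_like"])
```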